Packet Analysis for Network Security
“I am convinced that there are only two types of companies: those that have been hacked and those that will be.”
Mueller, R. (2012). Combating Threats in the Cyber World: Outsmarting Terrorists, Hackers, and Spies. [online] FBI. Available at: https://archives.fbi.gov/archives/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies [Accessed 29 Jul. 2019].
Agenda
• Why Network Security?
• Attack Frameworks
• Detection analysis techniques
• List of Free Open Source Software (F.O.S.S)
• Overview of Security Onion
• Demo Time
Number of attacks – SSH attack
• The APNIC 46 Network Security workshop deployed 7 honeypots to a cloud service
• 21,077 attacks in 24 hours
• Top 5 sensors
– training06 (8,431 attacks)
– training01 (5,268 attacks)
– training04 (2,208 attacks)
– training07 (2,025 attacks)
– training03 (1,850 attacks)
Time of attack – RDP attack
https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-rdp-exposed-the-threats-thats-already-at-your-door-wp.pdf – last accessed 24/07/2019
The 10 RDP honeypots logged a combined 4,298,513 failed login attempts over a 30-day period
Legislative requirements
• Government intervention and regulation
– Europe, GDPR (General Data Protection Regulation)
– Australia, Notifiable Data Breaches (NDB) scheme
– United States, various State data breach notification Statutes
– India, Personal Data Protection Bill (Early 2020)
– China, Cybersecurity Law & draft Data Security Administrative Measures
• Data protection laws of the world
– https://www.dlapiperdataprotection.com
Legislative requirements
https://www.dlapiperdataprotection.com/index.html
Attack Life Cycle
http://www.iacpcybercenter.org/resource-center/what-is-cyber-crime/cyber-attack-lifecycle/
Mitigate Cyber Security incidents
Columns: Relative security effectiveness rating | Mitigation strategy | Potential user resistance | Upfront cost (staff, equipment, technical complexity) | Ongoing maintenance cost (mainly staff)
Mitigation strategies to detect cyber security incidents and respond
• Excellent | Continuous incident detection and response with automated immediate analysis of centralised time-synchronised logs of permitted and denied: computer events, authentication, file access and network activity. | Low | Very high | Very high
• Very good | Host-based intrusion detection/prevention system to identify anomalous behaviour during program execution e.g. process injection, keystroke logging, driver loading and persistence. | Low | Medium | Medium
• Very good | Endpoint detection and response software on all computers to centrally log system behaviour and facilitate incident response. Microsoft’s free SysMon tool is an entry-level option. | Low | Medium | Medium
• Very good | Hunt to discover incidents based on knowledge of adversary tradecraft. Leverage threat intelligence consisting of analysed threat data with context enabling mitigating action, not just indicators of compromise. | Low | Very high | Very high
• Limited | Network-based intrusion detection/prevention system using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries. | Low | High | Medium
• Limited | Capture network traffic to and from corporate computers storing important data or considered as critical assets, and network traffic traversing the network perimeter, to perform incident detection and analysis. | Low | High | Medium
https://www.cyber.gov.au/sites/default/files/2019-03/Mitigation_Strategies_2017.pdf
NIST Cybersecurity Framework
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
NIST Cybersecurity Framework
• Under Anomalies and Events (AE) in the Detect (DE) function, there are five subcategories:
– DE.AE-1: A baseline of network operations and expected data flows
for users and systems is established and managed
– DE.AE-2: Detected events are analyzed to understand attack targets
and methods
– DE.AE-3: Event data are aggregated and correlated from multiple
sources and sensors
– DE.AE-4: Impact of events is determined
– DE.AE-5: Incident alert thresholds are established
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
NIST Cybersecurity Framework
• DE.AE-2: Detected events are analyzed to understand
attack targets and methods
– CIS CSC 3, 6, 13, 15
– COBIT 5 DSS05.07
– ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
– ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR
3.9, SR 6.1, SR 6.2
– ISO/IEC 27001:2013 A.12.4.1, A.16.1.1, A.16.1.4
– NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, SI-4
• AU-6 – Audit Review, Analysis, and Reporting;
• CA-7 – Continuous Monitoring;
• IR-4 – Incident Handling;
• SI-4 – Information System Monitoring, e.g. IDS, automated tools, alerts.
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
ATT&CK Matrix for Enterprise
https://attack.mitre.org – accessed 12th Nov 2018
Packet analysis
Signature analysis
• Distinctive marks of known bad traffic used to generate alerts:
– virus detection,
– malicious website or
– malware files.
• Distinctive marks include:
– IP addresses
– Hostnames
– Offsets – for example, memory related exploit
– Debug information
– “Ego” strings (strings left in the code)
– Header information
Signature analysis
• An example could be detecting an Nmap scan of a network by looking at the User-Agent string.
alert tcp $EXTERNAL_NET any -> any any (msg:"Nmap User-Agent Observed"; flow:to_server,established; content:"User-Agent|3a|"; http_header; content:"|20|Nmap"; sid:1000001; rev:3;)
Session analysis
• Utilises the session metadata to determine what is happening during a session:
– which devices are causing the traffic,
– the type of traffic or
– what data is being transferred.
• Looks at the behaviour of the sessions and looks for behaviour that is not normal.
Session analysis
• An example: once a network has been compromised, the Domain Name System (DNS) may be used to exfiltrate data.
https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
Wireshark filter: “dns.qry.name.len > 20”
Which technique?
• Signature analysis – can be used to create the alert; then
• Session analysis – can help investigate the alert further.
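As an added example (not part of the original slides), the two techniques applied to constructed sample data: the signature check reproduces the two content matches of the Snort rule above as a grep pattern, and the session check applies the Wireshark filter dns.qry.name.len > 20 to tcpdump-style DNS lines, then lists every query sent by the host that tripped it. The HTTP headers, DNS lines and host addresses are all constructed.

```shell
#!/bin/sh
# Added example, not from the original slides: signature and session checks
# over constructed sample data (no live capture needed).

# Constructed HTTP request headers, one request per line, header lines
# joined by spaces. The second one carries the Nmap Scripting Engine User-Agent.
HTTP_SAMPLE='GET / HTTP/1.1 Host: intranet.example User-Agent: Mozilla/5.0 (X11; Linux x86_64)
GET / HTTP/1.1 Host: intranet.example User-Agent: Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
GET /robots.txt HTTP/1.1 Host: intranet.example User-Agent: curl/7.64.0'

# Constructed tcpdump -nn output for DNS traffic (field 7 = query type, field 8 = name).
DNS_SAMPLE='10:00:01.000001 IP 10.0.0.5.51234 > 10.0.0.1.53: 41234+ A? www.example.com. (33)
10:00:01.000002 IP 10.0.0.1.53 > 10.0.0.5.51234: 41234 1/0/0 A 93.184.216.34 (49)
10:00:02.000003 IP 10.0.0.5.51235 > 10.0.0.1.53: 41235+ TXT? aGVsbG8gd29ybGQ.tunnel.example. (58)
10:00:03.000004 IP 10.0.0.5.51236 > 10.0.0.1.53: 41236+ A? mail.example.org. (34)'

# Signature analysis: the Snort rule's two content matches, "User-Agent:" and then
# the byte sequence " Nmap" (|20|Nmap), expressed as one grep pattern. Prints the
# number of requests that would raise the alert.
nmap_ua_hits() {
    printf '%s\n' "$HTTP_SAMPLE" | grep -c 'User-Agent:.* Nmap' || true
}

# Session analysis: the Wireshark filter dns.qry.name.len > 20. Only query lines
# (type ends in "?") are considered; the trailing root dot is dropped before
# measuring, which is how Wireshark reports the length.
long_dns_queries() {
    printf '%s\n' "$DNS_SAMPLE" | awk '
        $7 ~ /[?]$/ {
            name = $8
            sub(/\.$/, "", name)
            if (length(name) > 20) print name
        }'
}

# Which technique? The signature raises the alert; the session view shows what
# else the same host did (here: every DNS query it sent).
dns_queries_from() {
    printf '%s\n' "$DNS_SAMPLE" | awk -v host="$1" '
        $7 ~ /[?]$/ && index($3, host ".") == 1 { print $8 }'
}

echo "Nmap User-Agent hits: $(nmap_ua_hits)"
echo "DNS names longer than 20 characters:"; long_dns_queries
echo "All DNS queries from 10.0.0.5:"; dns_queries_from 10.0.0.5
```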
FOSS Tools
• Open source network monitoring and log management tools:
– Elasticsearch
– Logstash
– Kibana
– Snort
– Suricata
– Zeek (formerly Bro)
– Sguil
– Squert
– Tcpdump
* FOSS - Free Open Source Software
Log Management
• Logstash – used to gather data from multiple sources and transform it for storage.
• Elasticsearch – distributed, RESTful search and analytics engine.
• Kibana – visualisation tool for Elasticsearch and other data sets.
https://www.elastic.co/products/
Intrusion Detection tools
• Snort – intrusion detection system (IDS).
• Suricata – intrusion detection system (IDS).
Network Monitoring
• Zeek (formerly Bro) – network traffic analysis tool.
• Sguil – collection of free software components for Network Security Monitoring (NSM) and event-driven analysis of IDS alerts.
• Squert – web application used to query and view event data stored in a Sguil database.
Packet capture
• TCPdump – command line utility used to capture and analyse packets on network interfaces.
• Wireshark – utility used to capture and analyse packets on network interfaces.
• Cloudshark – web-based utility used to analyse packet captures.
Lab Exercise
https://academy.apnic.net/en/virtual-labs/
TCPdump command example
# cd /opt/samples
# tcpdump -nn -r fake_av.pcap | wc -l
# tcpdump -nn -r fake_av.pcap | head
# tcpdump -nn -r fake_av.pcap | cut -f 3 -d " " | head
# tcpdump -nn -r fake_av.pcap 'tcp or udp' | cut -f 3 -d " " | cut -f 1-4 -d "." | head
Display top 10 destinations
# tcpdump -nn -r fake_av.pcap 'tcp or udp' | cut -f 5 -d " " | cut -f 1-4 -d "." | sort | uniq -c | sort -nr | head
-nn = do not resolve host names or port names; show IP addresses and port numbers numerically
-r = read packets from the pcap file instead of a live interface
-f = (cut) field to select
-d = (cut) delimiter to split fields on
TCPdump command example
# tcpdump -nn -r fake_av.pcap 'port 53' | head -5
# tcpdump -nn -r fake_av.pcap 'port 53' | grep -Ev '(com|net|org|gov|mil|arpa)' | cut -f 9 -d " " | head
# tcpdump -nn -r fake_av.pcap 'port 53' | grep -Ev '(com|net|org|gov|mil|arpa)' | cut -f 8 -d " " | grep -E '[a-z]'
If a suspicious domain name is found, use https://www.virustotal.com/gui/home/url to check whether it is malicious.
TCPdump command example
# cd /opt/samples/mta
# for capfile in *.pcap; do tcpdump -nn -r "$capfile" 'port 53' | grep -Ev '(com|net|org|gov|mil|arpa)' | cut -f 8 -d " " | grep -E '[a-z]'; done
Check for plain text passwords in pcap files
# for capfile in *.pcap; do tcpdump -nn -l -A -r "$capfile" 'port http or port ftp or port smtp or port imap or port pop3 or port telnet' | grep -Ei -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '; done
-l = force line-buffered output
-A = print each packet's payload in ASCII
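As an added example (not from the original slides), the same post-processing pipelines packaged as shell functions and run over constructed tcpdump -nn output, so they can be tried without a pcap; the capture lines, the POST request and the credential values are all constructed.

```shell
# Added example, not from the original slides: the slides' post-processing
# pipelines run over constructed `tcpdump -nn` output. On a real capture,
# replace `printf '%s\n' "$CAPTURE_TEXT"` with `tcpdump -nn -r fake_av.pcap 'tcp or udp'`
# (and use `tcpdump -nn -l -A -r ...` for the payload check).

# Constructed tcpdump -nn lines: field 3 = source, field 5 = destination (trailing
# colon); the last dot-separated part of each address is the port.
CAPTURE_TEXT='10:00:00.000001 IP 10.0.0.5.49152 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0
10:00:00.000002 IP 203.0.113.10.80 > 10.0.0.5.49152: Flags [S.], seq 2, ack 2, win 65535, length 0
10:00:00.000003 IP 10.0.0.5.49153 > 203.0.113.10.80: Flags [S], seq 3, win 64240, length 0
10:00:00.000004 IP 10.0.0.5.49154 > 198.51.100.7.443: Flags [S], seq 4, win 64240, length 0
10:00:00.000005 IP 10.0.0.5.53001 > 10.0.0.1.53: 12345+ A? www.example.com. (33)'

# Constructed tcpdump -nn -l -A output for one HTTP POST: the packet header line,
# then the payload printed as ASCII.
PAYLOAD_TEXT='10:00:01.000001 IP 10.0.0.5.49200 > 203.0.113.10.80: Flags [P.], seq 1:85, ack 1, win 64240, length 84
POST /login HTTP/1.1
Host: 203.0.113.10
Content-Type: application/x-www-form-urlencoded

user=alice&pass=Winter2019'

# Top destinations: destination field with the port stripped (first four
# dot-separated fields), counted, most frequent first.
top_destinations() {
    printf '%s\n' "$CAPTURE_TEXT" | cut -f 5 -d " " | cut -f 1-4 -d "." |
        sort | uniq -c | sort -nr | head
}

# Plain-text credential check: the slide's pattern list. -B5 shows the five
# preceding lines, i.e. the request that carried the credential.
CRED_PATTERN='pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '

credential_context() {
    printf '%s\n' "$PAYLOAD_TEXT" | grep -Ei -B5 "$CRED_PATTERN"
}

# Only the lines that matched, which is what a ticket or a test needs.
credential_hits() {
    printf '%s\n' "$PAYLOAD_TEXT" | grep -Ei "$CRED_PATTERN" || true
}

echo "Top destinations:"; top_destinations
echo "Possible plain-text credentials:"; credential_context
```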
Security Onion
• Linux-based open source network monitoring and log management toolkit.
• Can be installed as a Virtual Machine (VM) or on a physical machine.
• Best practice is to use two network interfaces:
1. Management Network
2. Monitored Network
https://securityonion.net
Security Onion
https://securityonion.readthedocs.io/en/latest/architecture.html
How to Install
• Straightforward if you have experience installing Ubuntu 16.04:
– Download the ISO and verify it:
• https://github.com/Security-Onion-Solutions/security-onion/blob/master/Verify_ISO.md
– Base install is similar to an Ubuntu installation.
– Once Ubuntu is installed, double-click the Setup icon on the desktop.
– Select Evaluation Mode, as this installs all the tools on the one machine (standalone).
Security Onion - commands
https://securityonion.readthedocs.io/en/latest/cheat-sheet.html
Command               Description
sudo soup             Update Security Onion (and Ubuntu)
sudo so-status        Check service status
sudo sostat           Generate Security Onion statistics
sudo so-start         Start all services
sudo so-stop          Stop all services
sudo so-restart       Restart all services
sudo so-user-add      Add user for Sguil/Squert/Kibana
sudo rule-update      Update rules after modifying file
sudo so-allow         Open ports for ufw
sudo so-allow-view    View current firewall rules
Security Onion - files
https://securityonion.readthedocs.io/en/latest/cheat-sheet.html
Folder / Files                 Description
/etc/nsm/                      Location of configuration files
/etc/nsm/securityonion.conf    Security Onion general settings
/opt/bro                       Location of Bro files
/nsm/bro/logs                  Location of Bro log files
/etc/elasticsearch             Location of ElasticSearch files
/etc/logstash                  Location of LogStash files
/etc/kibana                    Location of Kibana files
/var/log                       Location of log files
/opt/samples                   Example packet capture files
Security Onion - rules
https://securityonion.readthedocs.io/en/latest/cheat-sheet.html
Folder / Files Description
/etc/nsm/rules/downloaded.rules Downloaded IDS rules
/etc/nsm/rules/local.rules Custom IDS rules
/etc/nsm/rules/threshold.conf Rule thresholds
/etc/nsm/pulledpork/disabledsid.conf Disabled rules by SID
/etc/nsm/pulledpork/modifysid.conf Modified rules
/etc/nsm/pulledpork/pulledpork.conf Pulled Pork Configuration
/etc/elastalert/rules Elastalert rules
Import packet captures
https://securityonion.readthedocs.io/en/latest/pcaps.html
https://securityonion.readthedocs.io/en/latest/so-import-pcap.html
Command                                      Description
sudo tcpreplay -i ens34 -M10 fake_av.pcap    Import the packet capture as new traffic with the current date and time, using interface ens34, limiting to 10MB throughput
sudo so-replay                               Import all the sample packet captures as new traffic with the current date and time.
sudo so-import-pcap fake_av.pcap             Import the traffic, whilst keeping the timestamp the same as the original packet capture date and times.
Import packet captures
https://securityonion.readthedocs.io/en/latest/so-import-pcap.html
Command                                           Description
capinfos {pcap file}                              Display statistics about the packet capture file
tshark -F pcap -r {pcapng file} -w {pcap file}    Convert a packet capture Next Gen (pcapng) file to the earlier packet capture (pcap) format
Lab Exercise
https://academy.apnic.net/en/virtual-labs/
Exercise
• Import the sample captured (pcap) files:
– /opt/samples/markofu/jackcr-challenge.pcap
– /opt/samples/markofu/outbound.pcap
sudo tcpreplay -i ens33 -M10 /opt/samples/markofu/jackcr-challenge.pcap
sudo tcpreplay -i ens33 -M10 /opt/samples/markofu/outbound.pcap
Exercise 1: Squert
• Q1: What type of malicious traffic is suspected?
• Q2: What is the top source IP and destination IP? Source __________, Destination __________.
• Q3: What is the other IP address communicating with the top source IP?
Exercise 2: Sguil
• Question: What was the rule that generated the original alert?
Exercise 3: Sguil
• Question: What is the filename of the downloaded suspicious file?
Exercise 4: Wireshark/Netminer
• Question: Can the downloaded suspicious file be extracted?
Exercise 5: Malicious file
• Q1: What is the md5 hash value of the downloaded file?
• Q2: When the hash value is submitted to Virus Total, is it found to be malicious?